Acceptance Baseline Criteria
Acceptance Baseline Criteria (ABC) are the minimum requirements you must satisfy when building the containers you submit to Game Warden for deployment to your Production (PRD) environment.
Game Warden’s ABC is aligned with the Defense Information Systems Agency (DISA) DevSecOps Enterprise Container Hardening Guide v1.2, sections 2.2–2.4. The goal is to provide clarity and context to all parties operating within Game Warden.
This content represents a living policy document and will be updated as needed. A history of changes will be added as they occur, and any major revisions that impact our partners, vendors, or customers will result in document re-socialization.
Insight
The current Department of Defense (DoD) process for hardening, remediating, justifying, and certifying is time-consuming and often produces disparate outcomes – creating confusion internally and for our partners, customers, and contributors. When contributors are unable to complete the current process, their applications cannot be added to DoD artifact repositories and are unavailable as hardened images for DoD consumers. To promote a more efficient process, Game Warden strives to provide a clear and consistent experience while more closely aligning our process with current DoD guidance and policies.
Container Acceptance Baseline Criteria
Methodology
Game Warden will adhere to the following process:
- Ensure the current process is documented, and all requirements enumerated.
- Align with DISA standards.
- Centralize and define all minimum standard criteria for containers for internal and external consumption.
- Ensure containers meet the minimum security standard outlined above, and define the process for any deviation.
Approval Process
From the mitigation reports, the Game Warden Approver can determine if the results warrant approving the container. The four options are as follows: Rejected, Conditional Approval with Time Limit, Conditional Approval, and Approved.
- Rejected – The container has been reviewed, and it was determined that it does not meet DoD standards for DoD enterprise-wide distribution.
- Conditional Approval with Time Limit – The container will be approved, provided the findings are remediated or mitigated within a configurable number of days – contingent upon the organization's directive.
- Conditional Approval – The container has been approved with current mitigations in place.
- Approved – The container has been approved for distribution as is.
Vulnerability Lifecycle Timelines and Service Level Agreements
Severity | CVSS Score | Justifications | Mitigation Tolerance | Mitigation/Remediation | Remediation CVE Age Tolerance (Publish Date) |
---|---|---|---|---|---|
Critical | 9.0 - 10.0 | Must provide within 5 calendar days of detection. | 1 Finding | Mitigate or remediate within 15 calendar days from the date of detection. | Remediate in less than 3 months of CVE discovery. |
Important/ High | 7.0 - 8.9 | Must provide within 10 calendar days of detection. | 4 Findings | Mitigate or remediate within 35 calendar days from the date of detection. | Remediate in less than 6 months of CVE discovery. |
Moderate/ Medium | 4.0 - 6.9 | Must provide within 30 days of detection. | N/A | Mitigate or remediate within 180 calendar days from the date of detection. | N/A |
Low | 0.0 - 3.9 | Must provide within 60 days of detection. | N/A | Mitigate or remediate within 360 calendar days from the date of detection. | N/A |
Negligible/ Not Yet Assigned | N/A | Must provide within 60 days of detection. | N/A | Mitigate or remediate within 360 calendar days from the date of detection. | N/A |
Note
Unknown CVEs will be treated similarly to Negligible/Not Yet Assigned CVEs.
Compliance Results' Lifecycle Timelines
Severity | Description | Justifications | Mitigation/Remediation |
---|---|---|---|
Stop | Critical error that should stop the deployment by failing the policy evaluation, similar to a High vulnerability. | Must provide within 10 days of detection. | Mitigate or remediate within 35 calendar days from the date of detection. |
Warn | Issue a warning, similar to a Medium vulnerability. | Must provide within 30 days of detection. | Mitigate or remediate within 180 calendar days from the date of detection. |
Go | Ok to proceed, similar to a Low vulnerability. | Must provide within 60 days of detection. | Mitigate or remediate within 360 calendar days from the date of detection. |
Justifications
Justification: Upstream Contributor / Package Manager | Finding Justification Guidelines | Additional Information |
---|---|---|
False Positive | No mitigation or remediation required. | False positives include items that a scanner incorrectly identifies such as a wrong package or version. This does NOT include findings that are mitigated or "not exploitable". |
Disputed | No mitigation or remediation required. | Issues marked as DISPUTED within the National Vulnerability Database (NVD). This does NOT include issues a contributor is disputing. It must be marked as such within the NVD. |
Won't Fix | No mitigation or remediation required. | Upstream (not the Operating System (OS) distribution, such as Red Hat, Debian, or Ubuntu) states they will not fix the security flaw. |
Distro – Won't Fix | No mitigation or remediation required. | Issues marked as WONT_FIX by the vendor. Reserved for OS distribution packages. |
No Fix Available | Must be mitigated; must be remediated. | There is no patch available. This ONLY considers the vulnerable library itself, not downstream products. |
Distro – Pending Resolution | Must be mitigated; must be remediated. | Vulnerability is for a library provided by the OS distribution. Only applicable when using the latest version of a distribution and library. |
Mitigated | Mitigation is complete; must be remediated. | Issue has a mitigation that reduces severity or risk. |
Not Vulnerable | Mitigation is complete; must be remediated. | Issue is not exploitable within the application. |
Unreleased | Must be mitigated; must be remediated. | A fix exists in a branch for the next release but has not yet been released. |
Pending Resolution | Must be mitigated; must be remediated. | Upstream project is aware of vulnerability and is tracking an issue ticket to fix. |
True Positive | Must be mitigated; must be remediated. | Image is vulnerable to this finding. Default state of a new finding. |
Policy N/A | No mitigation or remediation required. | Product functionality requires security policy exception. (Only applies to policy findings, not CVEs.) |
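The three tables above (vulnerability SLAs, compliance result timelines, and justification states) together form a rule set that a pipeline can evaluate automatically. The following is an added example of that evaluation written as policy-as-code; it is not Game Warden tooling, and the finding records, dates and `CVE-0000-*` / `POLICY-*` identifiers are constructed. Two interpretations are assumptions: "Mitigation Tolerance" is read as the maximum number of findings in a band that may remain mitigated-only (justified as Mitigated or Not Vulnerable), and "months" in the CVE age tolerance is approximated as 30-day periods.

```python
"""Policy-as-code evaluation of the ABC lifecycle tables (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Band:
    name: str
    justification_days: int          # "Justifications" column
    remediation_days: int            # "Mitigation/Remediation" column
    mitigation_tolerance: Optional[int]  # assumption: max findings left mitigated-only
    cve_age_months: Optional[int]    # "Remediation CVE Age Tolerance" column


BANDS = {
    "Critical":                    Band("Critical", 5, 15, 1, 3),
    "Important/High":              Band("Important/High", 10, 35, 4, 6),
    "Moderate/Medium":             Band("Moderate/Medium", 30, 180, None, None),
    "Low":                         Band("Low", 0 + 60, 360, None, None),
    "Negligible/Not Yet Assigned": Band("Negligible/Not Yet Assigned", 60, 360, None, None),
}
CVSS_RANGES = [(9.0, 10.0, "Critical"), (7.0, 8.9, "Important/High"),
               (4.0, 6.9, "Moderate/Medium"), (0.0, 3.9, "Low")]
# Compliance results are handled "similar to" a vulnerability band.
COMPLIANCE_TO_BAND = {"Stop": "Important/High", "Warn": "Moderate/Medium", "Go": "Low"}
# Justification states from the table that end the obligation outright.
RESOLVED = {"False Positive", "Disputed", "Won't Fix", "Distro – Won't Fix", "Policy N/A"}
# States where "Mitigation is complete; must be remediated".
MITIGATED_ONLY = {"Mitigated", "Not Vulnerable"}


@dataclass
class Finding:
    ident: str                          # constructed identifier
    cvss: Optional[float]               # None = not yet assigned / unknown CVE
    detected: date
    published: Optional[date] = None    # CVE publish date, if known
    justification: str = "True Positive"  # default state of a new finding
    compliance: Optional[str] = None    # "Stop"/"Warn"/"Go" for policy findings


def classify(cvss: Optional[float]) -> str:
    """Map a CVSS score to its ABC band; unknown scores are Negligible/Not Yet Assigned."""
    if cvss is None:
        return "Negligible/Not Yet Assigned"
    for low, high, name in CVSS_RANGES:
        if low <= cvss <= high:
            return name
    raise ValueError(f"CVSS score out of range: {cvss}")


def severity_of(f: Finding) -> str:
    return COMPLIANCE_TO_BAND[f.compliance] if f.compliance else classify(f.cvss)


def deadlines(f: Finding):
    """Return (justification_due, remediation_due) counted from detection."""
    band = BANDS[severity_of(f)]
    return (f.detected + timedelta(days=band.justification_days),
            f.detected + timedelta(days=band.remediation_days))


def cve_age_exceeded(f: Finding, today: date) -> bool:
    """True when the CVE is at least N months old (assumption: 30-day months)."""
    band = BANDS[severity_of(f)]
    if band.cve_age_months is None or f.published is None:
        return False
    return today >= f.published + timedelta(days=30 * band.cve_age_months)


def tolerance_report(findings):
    """Count mitigated-only findings per band and list bands over tolerance."""
    counts = {}
    for f in findings:
        if f.justification in MITIGATED_ONLY:
            name = severity_of(f)
            counts[name] = counts.get(name, 0) + 1
    exceeded = [n for n, c in counts.items()
                if BANDS[n].mitigation_tolerance is not None and c > BANDS[n].mitigation_tolerance]
    return counts, exceeded


def overdue(findings, today: date):
    """Unresolved findings past their remediation deadline or CVE age tolerance."""
    return [f.ident for f in findings
            if f.justification not in RESOLVED
            and (today > deadlines(f)[1] or cve_age_exceeded(f, today))]


# Constructed scan result for a single image, evaluated on a fixed date.
TODAY = date(2024, 3, 1)
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, date(2024, 2, 1), published=date(2023, 10, 1)),
    Finding("CVE-0000-0002", 9.1, date(2024, 2, 25), justification="Mitigated"),
    Finding("CVE-0000-0003", 9.3, date(2024, 2, 25), justification="Mitigated"),
    Finding("CVE-0000-0004", 5.5, date(2024, 1, 2)),
    Finding("CVE-0000-0005", None, date(2024, 2, 1)),
    Finding("POLICY-0001", None, date(2024, 1, 20), compliance="Stop"),
    Finding("CVE-0000-0006", 3.0, date(2024, 1, 1), justification="False Positive"),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.ident, severity_of(f), *deadlines(f))
    print("tolerance:", tolerance_report(SAMPLE_FINDINGS))
    print("overdue:", overdue(SAMPLE_FINDINGS, TODAY))
```

Running the sample flags two items as overdue: the Critical finding detected on 1 February (15-day window ended 16 February, and the CVE is also past the 3-month age tolerance) and the Stop policy result (treated as High, 35-day window ended 24 February). The two mitigated-only Critical findings exceed the tolerance of one, which under the approval process would point toward a Conditional Approval with Time Limit rather than a plain Conditional Approval.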
For additional information, read Common Vulnerabilities and Exposures, and Best Practices.